From 21e7e45b77e026689b72f182aca4ba2ffd5e0a36 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Fri, 5 Nov 2021 01:31:59 -0700
Subject: meta-google: gbmc-bridge: Provision NCSI deprecated addresses

This scans the gbmcbr interface for public addresses, and adds the relevant addresses to the NCSI interface of the BMC. This is required for neighbor discovery to work from prod over the NCSI link, when the addresses do not already exist (BMC DHCP will not have them).

Change-Id: I27ff0cd3c4750b752b35399b8a0288db5ac9fe28
Signed-off-by: William A. Kennington III
---
 .../ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 118 +++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
(limited to 'meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in')

diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
new file mode 100644
index 000000000..da6f27a79
--- /dev/null
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -0,0 +1,118 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +[ -z "${gbmc_ncsi_br_deprecated_ips_lib-}" ] || return + +gbmc_ncsi_br_deprecated_ips_init= +gbmc_ncsi_br_deprecated_ips_confip= +gbmc_ncsi_br_deprecated_ips_lastip= + +gbmc_ncsi_br_deprecated_ips_update() { + [ -n "$gbmc_ncsi_br_deprecated_ips_init" ] || return + [ "$gbmc_ncsi_br_deprecated_ips_confip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ] || return + gbmc_ncsi_br_deprecated_ips_confip="$gbmc_ncsi_br_deprecated_ips_lastip" + + printf 'gBMC Bridge NCSI Deprecated Addrs: %s\n' \ + "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2 + + local contents= + if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then + local pfx_bytes=() + ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip" + + local pfx="$(ip_bytes_to_str pfx_bytes)" + pfx_bytes[8]=0 + pfx_bytes[9]=0 + local host_pfx="$(ip_bytes_to_str pfx_bytes)" + read -r -d '' contents <"$file" + fi + done + + # Ensure that systemd-networkd performs a reconfiguration as it doesn't + # currently check the mtime of drop-in files. 
+ touch -c /etc/systemd/network/*-bmc-@NCSI_IF@.network + + if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then + networkctl reload && networkctl reconfigure @NCSI_IF@ + fi + + read -r -d '' contents <"$rfile" + systemctl reset-failed nftables && systemctl --no-block restart nftables || true +} + +gbmc_ncsi_br_deprecated_ips_hook() { + if [ "$change" = 'init' ]; then + gbmc_ncsi_br_deprecated_ips_init=1 + gbmc_ip_monitor_defer + elif [ "$change" = 'defer' ]; then + gbmc_ncsi_br_deprecated_ips_update + elif [ "$change" = 'addr' -a "$intf" = 'gbmcbr' ] && + [ "$scope" = 'global' -a "$fam" = 'inet6' ]; then + local pfx_bytes=() + ip_to_bytes pfx_bytes "$ip" || return + # No ULA Addresses + if (( pfx_bytes[0] & 0xfe == 0xfc )); then + return + fi + # We only want to allow a ::fd0x address, where x>0 + if (( pfx_bytes[8] != 0xfd || pfx_bytes[9] & 0xf == 0 )); then + return + fi + for (( i = 10; i < 16; ++i )); do + if (( pfx_bytes[i] != 0 )); then + return + fi + done + if [ "$action" = 'add' -a "$ip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then + gbmc_ncsi_br_deprecated_ips_lastip="$ip" + gbmc_ip_monitor_defer + fi + if [ "$action" = 'del' -a "$ip" = "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then + gbmc_ncsi_br_deprecated_ips_lastip= + gbmc_ip_monitor_defer + fi + fi +} + +GBMC_IP_MONITOR_HOOKS+=(gbmc_ncsi_br_deprecated_ips_hook) + +gbmc_ncsi_br_deprecated_ips_lib=1 -- cgit v1.2.3 From 2f5e1695c9f967e8d11415502b1c08affd8955a4 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Fri, 5 Nov 2021 01:31:59 -0700 Subject: meta-google: gbmc-ncsi-config: Fix missing include We use functions from the network-sh library and need to include it. Change-Id: I7f78b7dd37c4e5d38342c4625c26c4b583133bf5 Signed-off-by: William A. Kennington III --- meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 2 ++ 1 file changed, 2 insertions(+) (limited to 'meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in') 
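Review bot: The two arithmetic filters in `gbmc_ncsi_br_deprecated_ips_hook` never reject anything, because `==` binds tighter than `&` in bash arithmetic: `(( pfx_bytes[0] & 0xfe == 0xfc ))` evaluates as `pfx_bytes[0] & (0xfe == 0xfc)`, i.e. `& 0`, which is always 0, and `pfx_bytes[9] & 0xf == 0` collapses the same way, so ULA addresses and `::fd00` addresses pass the filter and are provisioned onto the NCSI interface. Parenthesise the masks: `if (( (pfx_bytes[0] & 0xfe) == 0xfc )); then` and `if (( pfx_bytes[8] != 0xfd || (pfx_bytes[9] & 0xf) == 0 )); then`. The loop index `i` in the same function is not declared `local`, so it leaks into the shell that sources this library. The page's rendering of this hunk looks garbled around `read -r -d '' contents <"$file"` (the heredoc body of the networkd drop-in appears to be missing), so the generated configuration itself cannot be reviewed here.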
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
index da6f27a79..796e40584 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -14,6 +14,8 @@
 [ -z "${gbmc_ncsi_br_deprecated_ips_lib-}" ] || return
+source /usr/share/network/lib.sh || exit
+
 gbmc_ncsi_br_deprecated_ips_init=
 gbmc_ncsi_br_deprecated_ips_confip=
 gbmc_ncsi_br_deprecated_ips_lastip=
-- cgit v1.2.3

From 3dbea9350f23bbf2a4b3909e1d6bab157edba7fc Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Fri, 5 Nov 2021 01:31:59 -0700
Subject: meta-google: gbmc-bridge: Add stateless deprecated addresses

We were missing this address but we want neighbor discovery from outside the BMC to work against this range.

Change-Id: I6ef139486f382df21596c460626bfe2f692c7236
Signed-off-by: William A. Kennington III
---
 .../recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in')

diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
index 796e40584..7b0702570 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -34,6 +34,8 @@ gbmc_ncsi_br_deprecated_ips_update() {
 ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip"
 local pfx="$(ip_bytes_to_str pfx_bytes)"
+ (( pfx_bytes[9] &= 0xf0 ))
+ local stateless_pfx="$(ip_bytes_to_str pfx_bytes)"
 pfx_bytes[8]=0
 pfx_bytes[9]=0
 local host_pfx="$(ip_bytes_to_str pfx_bytes)"
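Review bot: `source /usr/share/network/lib.sh || exit` terminates the process that sources this library when the dependency is missing, whereas the include guard on the line above uses `return` so the file can be sourced without killing the caller; the two fallbacks read as inconsistent. If taking down the ip monitor on a missing network library is the intent, say so in a comment, e.g. `# Hard dependency: without the network helpers this hook cannot run at all.`; otherwise `|| return 1` matches the guard.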
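Review bot: `(( pfx_bytes[9] &= 0xf0 ))` has exit status 1 whenever the masked value is 0, i.e. for any admitted address whose byte 9 has a zero upper nibble (`…:fd01` through `…:fd0f`), because `(( ))` returns non-zero for a zero result. If the process that sources this library runs with `set -e` (not visible here) the update function would abort at this line before writing anything. Writing it as an assignment, `pfx_bytes[9]=$(( pfx_bytes[9] & 0xf0 ))`, has no status side effect. The enclosing function `gbmc_ncsi_br_deprecated_ips_update` starts and ends outside the hunk.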
@@ -42,6 +44,9 @@ gbmc_ncsi_br_deprecated_ips_update() { Address=$pfx/128 PreferredLifetime=0 [Address] +Address=$stateless_pfx/128 +PreferredLifetime=0 +[Address] Address=$host_pfx/128 PreferredLifetime=0 EOF -- cgit v1.2.3 From b823f89c8cd0da678c78e242bf12c25f414d0697 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 23 Nov 2021 20:54:56 -0800 Subject: meta-google: gbmc-ncsi-config: Fix deprecated address nft The nft rules were not deleted in cases where the public addresses are removed from the gbmc-br interface. This would create broken rules. Change-Id: I22a88f1fb15ccbea49e586061ea8e93bbbfb1bc1 Signed-off-by: William A. Kennington III --- .../ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 29 +++++++++++++--------- 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in') diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in index 7b0702570..677ef28c3 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in @@ -29,6 +29,7 @@ gbmc_ncsi_br_deprecated_ips_update() { "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2 local contents= + local nfcontents= if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then local pfx_bytes=() ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip" @@ -49,6 +50,16 @@ PreferredLifetime=0 [Address] Address=$host_pfx/128 PreferredLifetime=0 +EOF + read -r -d '' nfcontents <"$rfile" + if [ -z "$nfcontents" ]; then + rm -f "$rfile" + else + printf '%s' "$nfcontents" >"$rfile" + fi systemctl reset-failed nftables && systemctl --no-block restart nftables || true } -- cgit v1.2.3 From 7356f8ebcb6b0e4c06018c748b7c5771b41e007e Mon Sep 17 00:00:00 2001 
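Review bot: `printf '%s' "$nfcontents" >"$rfile"` truncates and rewrites the nftables rule file in place, so the `restart nftables` on the following line, or any unrelated reload, can read an empty or partially written file. Writing to a temporary file in the same directory and renaming it over the target makes the update atomic, e.g. `printf '%s' "$nfcontents" >"$rfile.tmp" && mv -f -- "$rfile.tmp" "$rfile"`. The page's rendering of this hunk looks garbled around `read -r -d '' nfcontents <"$rfile"` (the heredoc body and the definition of `rfile` appear to be missing, and the diffstat's 12 deletions are not shown), so the rule content itself cannot be reviewed here. The enclosing function continues outside the hunk.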
From: "William A. Kennington III"
Date: Wed, 15 Dec 2021 02:21:52 -0800
Subject: meta-google: nftables: Make rule loading atomic

This ensures that all of the rules are processed and unexpected packets are not allowed or blocked by the kernel at any time.

Change-Id: Ia7bb1d7f604f8ed1bd9759a23e370d20cb0c690d
Signed-off-by: William A. Kennington III
---
 .../ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 2 +-
 meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in | 4 +---
 .../recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh | 4 +---
 meta-google/recipes-google/nftables/files/nft-configure.sh | 14 +++++++++-----
 meta-google/recipes-google/nftables/files/nftables.service | 1 +
 5 files changed, 13 insertions(+), 12 deletions(-)
(limited to 'meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in')

diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
index 677ef28c3..9d9f7899e 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -88,7 +88,7 @@ EOF
 else
 printf '%s' "$nfcontents" >"$rfile"
 fi
- systemctl reset-failed nftables && systemctl --no-block restart nftables || true
+ systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 gbmc_ncsi_br_deprecated_ips_hook() {
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 30b2b65e4..074ec5785 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -46,9 +46,7 @@ gbmc_ncsi_nft_update() {
 mkdir -p -m 755 "$(dirname "$rfile")"
 printf '%s' "$contents" >"$rfile"
- echo 'Restarting nftables' >&2
- systemctl reset-failed nftables
- systemctl --no-block restart nftables
+ systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 gbmc_ncsi_nft_hook() {
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
index 980f7b6d6..ca4e15a1f 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
+++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
@@ -37,9 +37,7 @@ gbmc_br_nft_update() {
 mkdir -p -m 755 "$(dirname "$rfile")"
 printf '%s' "$contents" >"$rfile"
- echo 'Restarting nftables' >&2
- systemctl reset-failed nftables
- systemctl --no-block restart nftables
+ systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 gbmc_br_nft_hook() {
diff --git a/meta-google/recipes-google/nftables/files/nft-configure.sh b/meta-google/recipes-google/nftables/files/nft-configure.sh
index 05bb23d8b..8c8e058b7 100644
--- a/meta-google/recipes-google/nftables/files/nft-configure.sh
+++ b/meta-google/recipes-google/nftables/files/nft-configure.sh
@@ -8,10 +8,14 @@ for dir in /run/nftables /etc/nftables /usr/share/nftables; do
 done
 let i+=1
 done
-rc=0
-nft flush ruleset || rc=$?
+
+rules=""
+trap 'rm -f -- "$rules"' TERM INT EXIT ERR
+rules="$(mktemp)" || exit
+echo 'flush ruleset' >"$rules"
 for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do
- echo "Executing ${basemap[$key]}" >&2
- nft -f "${basemap[$key]}" || rc=$?
+ echo "Loading ${basemap[$key]}" >&2
+ echo '' >>"$rules"
+ cat "${basemap[$key]}" >>"$rules"
 done
-exit $rc
+nft -f "$rules" || exit
diff --git a/meta-google/recipes-google/nftables/files/nftables.service b/meta-google/recipes-google/nftables/files/nftables.service
index 770a3d3ac..1a93812b8 100644
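Review bot: `systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true` discards the status of both commands, and the hunk also removes the `Restarting nftables` log line, so a reload request that cannot even be queued leaves nothing in the journal from this script; the same replacement is made in `gbmc-br-nft.sh` in this commit. Keep a diagnostic on the failure path, e.g. `systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || echo 'nftables reload request failed' >&2`. Because of `--no-block` the exit status only covers queueing the job; whether the new ruleset actually loaded is reported by the nftables unit itself. The body of gbmc_ncsi_nft_update starts outside the hunk.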
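Review bot: Concatenating every fragment into one mktemp file means that when `nft -f "$rules"` rejects the ruleset its diagnostics cite line numbers in a temporary file that the `trap` deletes on exit, so the operator cannot tell which file under /run/nftables, /etc/nftables or /usr/share/nftables is at fault. Emitting include directives instead of copying contents, `echo "include \"${basemap[$key]}\"" >>"$rules"`, should keep the single-transaction load while letting nft name the original file in its errors; alternatively dump `$rules` to stderr before the `|| exit`. Installing the `trap` before `rules="$(mktemp)"` is the right order, and `|| exit` propagates nft's own status. The loop that fills `basemap` starts outside the hunk.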
--- a/meta-google/recipes-google/nftables/files/nftables.service
+++ b/meta-google/recipes-google/nftables/files/nftables.service
@@ -5,6 +5,7 @@ Before=network-pre.target
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/libexec/nft-configure.sh
+ExecReload=/usr/libexec/nft-configure.sh
 ExecStop=/usr/sbin/nft flush ruleset
 [Install]
-- cgit v1.2.3